Drew Morris asked, and Christian Warden answered:

Exim configuration for SMTP AUTH against the dbmail database is pretty straightforward.

begin authenticators

plain:

driver = plaintext
public_name = PLAIN
server_condition = ${lookup mysql{SELECT user_idnr FROM users WHERE userid = '${quote_mysql:$2}' AND passwd = '${quote_mysql:$3}'}{1}fail}
server_set_id = $2
server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

login:

driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${lookup mysql{SELECT user_idnr FROM users WHERE userid = '${quote_mysql:$1}' AND passwd = '${quote_mysql:$2}'}{1}fail}
server_set_id = $1
server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

cram_md5:

driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}
server_set_id = $1

spa:

driver = spa
public_name = NTLM
server_password = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}

(0000435) aaron 11-Dec-04 01:07

Blake Mitchell said:

We had to rebuild Postfix to use SASL, then from main.cf:

….
# SMTP SERVER CONTROLS

# The smtpd_sasl_auth_enable parameter controls whether SMTP client
# authentication is enabled in the Postfix SMTP server. By default,
# the Postfix SMTP server does not use authentication.
#
# If an SMTP client is authenticated, then the permit_sasl_authenticated
# access restriction can be used to permit relay access, like this:
#
# smtpd_recipient_restrictions = permit_sasl_authenticated, …
#
# To reject all SMTP connections from unauthenticated clients,
# specify smtpd_delay_reject=yes (which is the default) and use:
#
# smtpd_client_restrictions = permit_sasl_authenticated

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

#
# In order to enable server-side authentication, build Postfix with
# SASL support, and install a configuration file /usr/lib/sasl/smtpd.conf
# (SASL version 1) or /usr/lib/sasl2/smtpd.conf (SASL version 2) with
# as contents, for example,
#
# pwcheck_method: sasldb
#
# or whatever method is suitable for your environment: PAM, shadow,
# etc. If you use sasldb, you can add users with the "saslpasswd"
# command that comes with the SASL library. If you configure Postfix
# to use PAM, the PAM service name for SASL authentication is "smtp",
# and adding users depends entirely on how PAM is set up.
#
# If you run your SMTP server chrooted, then you need to copy PAM
# and/or SASL support libraries and data files into the chroot jail.
# That's a lot of files, and it seems not very practical to do so.
#
smtpd_sasl_auth_enable = yes
#smtpd_sasl_auth_enable = no

# The smtpd_sasl_security_options parameter controls what authentication
# mechanisms the Postfix SMTP server will offer to the client. The
# list of available authentication mechanisms is system dependent.
#
# Specify zero or more of the following:
#
# noplaintext: disallow methods that use plaintext passwords
# noactive: disallow methods subject to active (non-dictionary) attack
# nodictionary: disallow methods subject to passive (dictionary) attack
# noanonymous: disallow methods that allow anonymous authentication
#
# An additional option is available in SASL version 2:
#
# mutual_auth: only allow methods that provide mutual authentication
#
# By default, the Postfix SMTP server accepts plaintext passwords but
# not anonymous logins.
#
# HORROR! It appears that clients try authentication methods in the
# order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
# which means that if you disable plaintext passwords, clients will
# log in anonymously, even when they should be able to use CRAM-MD5.
# So, if you disable plaintext logins, disable anonymous logins too.
# Postfix treats anonymous login as no authentication.
#
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous

# The smtpd_sasl_local_domain parameter specifies the name of the
# local authentication realm.
#
# By default, the local authentication realm name is the name of the
# machine.
#
#smtpd_sasl_local_domain = $mydomain
smtpd_sasl_local_domain = $myhostname
….

blake@sls-cd7p8:~$ cat /usr/lib/sasl/smtpd.conf
pwcheck_method:PAM

blake@sls-cd7p8:~$ cat /etc/pam.d/smtp
#%PAM-1.0
auth required /lib/security/pam_mysql.so user=root db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd
account required /lib/security/pam_mysql.so user=root db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd

This is on RedHat 7.3.

(0000436) aaron 11-Dec-04 01:08

Wolfram Kraushaar said:

For SMTP-Auth with Postfix 2.1.5 and cyrus-sasl 2.1.20 and a DBMail MySQL-Backend I use the following settings:

Prerequisites:
- Cyrus-SASL was built with support for MySQL and PostgreSQL
- Postfix was built with support for Cyrus-SASL, MySQL and PostgreSQL

In Postfix's main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain,reject_non_fqdn_sender, permit_sasl_authenticated,reject_unauth_destination

In Cyrus-SASL's /usr/local/lib/sasl2/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: login plain cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: <dbmail-dbhost>
sql_user: <dbmail-dbuser>
sql_passwd: <dbmail-dbpass>
sql_database: <dbmail-dbname>
sql_select: select passwd from dbmail_users where userid = '%u'
      AND userid != '__@!internal_delivery_user!@__'
      AND userid != 'anyone'
      AND userid != '__public__'
      AND passwd IS NOT NULL
      AND passwd != ''

As a side note: you cannot use encryption for the dbmail user passwords in the database if you want cyrus-sasl to use the dbmail database as authentication backend.
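
The following is an added example, not part of the original post or of DBMail, Exim or Cyrus-SASL: it shows why a challenge-response mechanism such as CRAM-MD5 (in the mech_list above, and the Exim cram_md5 authenticator's server_secret lookup) needs the passwd column to hold the plaintext password, while PLAIN hands the server the password itself, which can be checked against a one-way hash. The user name, password, salt, challenge and the PBKDF2 storage format are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac

def cram_md5_response(user: bytes, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 2195): base64(user + " " + hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest().encode()
    return base64.b64encode(user + b" " + digest)

def verify_cram_md5(response_b64: bytes, challenge: bytes, stored: bytes) -> bool:
    """Server side: the HMAC key is whatever the passwd column returned."""
    try:
        decoded = base64.b64decode(response_b64, validate=True)
        _user, client_digest = decoded.rsplit(b" ", 1)
    except ValueError:  # bad base64 or no space separator
        return False
    expected = hmac.new(stored, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(client_digest.lower(), expected)

def verify_plain(auth_b64: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """PLAIN (RFC 4616) carries authzid NUL authcid NUL password, so the
    server can hash what it receives and compare it with a stored hash."""
    try:
        decoded = base64.b64decode(auth_b64, validate=True)
        _authzid, _authcid, password = decoded.split(b"\0")
    except ValueError:  # bad base64 or wrong number of fields
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)

def demo() -> dict:
    # Every value here is constructed for this example.
    challenge = b"<1896.697170952@mail.example.org>"
    password, salt = b"correct horse", b"constructed-salt"
    hashed = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    response = cram_md5_response(b"alice", password, challenge)
    plain = base64.b64encode(b"\0alice\0" + password)
    return {
        # passwd column holds the plaintext: the HMACs match
        "cram_plaintext_column": verify_cram_md5(response, challenge, password),
        # passwd column holds a hash: the server keys the HMAC with the wrong secret
        "cram_hashed_column": verify_cram_md5(response, challenge, hashed),
        # PLAIN still verifies against the hash
        "plain_hashed_column": verify_plain(plain, salt, hashed),
    }

if __name__ == "__main__":
    print(demo())
```

Because PLAIN and LOGIN put the password on the wire in base64, they belong behind TLS, as the Exim server_advertise_condition lines earlier on this page do.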

(0000775) cwarden 17-Jul-05 19:19

The spa authenticator for Exim was missing a line. It should be:

spa:

driver = spa
public_name = NTLM
server_set_id = $1
server_password = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}
 
smtp_auth/otherstuff.txt · Last modified: 2011/08/25 18:19 by michaelbibby